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VISUALIZING SECURITY INCIDENTS IN A COMPUTER NETWORK 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of U.S. provisional patent application no. 
60/271,891, filed February 27, 2001, incorporated herein by reference, including the color 
figures filed therein. This application is related to commonly-assigned U.S. patent 

application no. , filed February 26, 2002, and entitled "Visualizing The Mission 

Impact Arising From Security Incidents In A Computer Network." 

COPYRIGHT NOTICE 

A portion of the disclosure of this patent document contains material that is subject to 
copyright protection. The copyright owner has no objection to the facsimile reproduction by 
anyone of the patent document or the patent disclosure, as it appears in the Patent and 
Trademark Office patent files or records, but otherwise reserves all copyright rights 
whatsoever. 

FIELD OF THE INVENTION 

The present invention is directed to increasing a user's situation awareness in the field 
of information assurance. Specifically, the present invention is directed to increasing the 
ability of an information analyst, responsible for preventing security breaches, to analyze 
large quantities of data describing previous security events and to assess the organizational 
impact of potential security breaches. 

BACKGROUND OF THE INVENTION 

Effective cyber defense (i.e., the defense of an organization's information technology 
infrastructure against a variety of security breaches) is aided by the following kinds of 
information: i) information that permits accurate perception of the overall security state of 
the organization's information infrastructure; ii) comprehension of current and past security 
incidents and of their impact on the organization's overall mission or goals; and iii) 
projection of the effects on the organization's overall mission or goals of both unmitigated 
security incidents and of the courses of action that may be taken to counteract those 
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incidents. Comprehension of these and other types of information provides an organization's 
information analyst with what may be referred to as "situational awareness." 

Situational awareness does not come easily, especially in an area of expertise as new 
as information assurance. Currently available security tools are good at providing data, but 
they do not provide an integrated picture to the user. For example, published PCT 
application, with international publication number WO 00/05852 and a publication date of 
Feb. 3, 2000, discloses software programs designed for active or passive LAN/WAN 
monitoring and visual displays, but does not show an integrated visual display which allows 
the user to see the "big picture" of the infrastructure's security state. Likewise, U.S. Pat. No. 
5,361,385 discloses software for displaying images in 3-D but does not show a visual display 
that would be useful to an information analyst. 

Since visual representations are known to be generally useful in assisting in the 
comprehension of information, particularly if the information is complex or voluminous, 
there exists a need to apply visual representational techniques to facilitate situational 
awareness in cyber defense. 

SUMMARY OF THE INVENTION 

Visual representations can be useful in helping an analyst to form a mental model of 
past and current security incidents and also in projecting the impact of those incidents on the 
ability to achieve a final objective or mission goal. In order to facilitate an analyst's 
situational awareness, visual displays should provide the analyst with the ability to integrate 
data from many sources, correlate that data and to otherwise see the overall security state of 
the organization's information technology infrastructure. 

Analysts often find that knowledge of previous security incidents helps them to assess 
the nature and sophistication of a current or future threat, the timing of an attack, and the next 
likely steps in the attack sequence. To achieve situational awareness an information analyst 
must form a mental model or picture of the information such that he or she can assess new 
information and project its effect, if any, on the organization's information technology 
infrastructure. This often requires the analyst to visualize and correlate a myriad number of 
data points from a multitude of information sources. 
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According to one aspect of the invention, a method of visualizing information about 
the security of a network is provided. The method includes providing a 3-D visualization 
tool for simulating 3-D space on a two dimensional display device. The tool accesses a 
database which relationally associates security events with network elements, wherein each 
said security event is associated with at least one of a plurality of categories of security 
events. At least some of the categories of security events are visually depicted in a first 
section of simulated 3-D space, and at least some of the network elements are visually 
depicted in a second section of simulated 3-D space. Association lines are displayed in the 3- 
D simulated space between one or more displayed categories of security events and one or 
more displayed network elements, to thereby facilitate human perception of patterns in the 
security events/information. 

The database preferably includes temporal information reflecting a time at which 
each security event occurred. In addition, the database may also store a variety of additional 
properties or characteristics of the network elements. 

In preferred embodiments, the aforesaid first section of simulated 3-D space displays 
a first graph having a security event category axis and a temporal axis. Each displayed 
security event is visually indicated at a position on the graph corresponding to the category 
and time of the security event. The second section of simulated 3-D space displays a second 
graph having an axis pertaining to a first property of the network element and an axis 
pertaining to a second property of the network element. For example, one property may be 
information for correlating the network element with a role in, or department of, the 
organization. Another property may be location information for indicating the physical 
location of the network element. The graphical objects representing network elements are 
displayed on the second graph at axes positions corresponding to the first and second 
properties thereof. The association lines are drawn between the first graph and the second 
graph. 

As used herein, the term "security event" refers to any vulnerability, suspicious 
activity or actual breach that constituted a real or potential threat to the computerized 
information resources of an organization. Also, as used herein, the term "mission impact" 
refers to an actual or perceived impact of a security event on tasks that are critical to the 
performance of an organization's objective or mission. Definitions of other terms used 
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herein are provided below, in context. The term "organization" as used herein refers to an 
individual, collection of individuals, company, corporation or any other joint or separate 
effort the objective of which is the fulfillment of a mutually beneficial task. 

The visual representations according to the present invention are designed in 3D 
5 space and utilize numerous visual attributes of geometric objects to carry meaning in the 
visualization. Some of the visual attributes according to the present invention include 
shape, position, motion, size, dynamic size changes that express growth or shrinking, 
orientation, color, transparency, texture and blinking. The invention is not limited to these 
visual attributes and other attributes, as known generally in the field of data visualization, can 
10 be used. These visualization attributes are used, according to the present invention, to 
symbolize a given aspect of the monitored computer operations and the dynamic changes 
thereto. For example, a cube can indicate a router and a blinking cube can indicate a router 
under attack. Various colors, e.g., red, yellow, green, blue, black, etc., or a combination of 
two or more colors, can be used to show how many times the same router previously had 
15 been under attack or to show any other visual attribute. One of the most compelling 
attributes of a 3-D visualization, as provided by the present invention, is its ability to render a 
perspective that can be viewed from a virtually unlimited number of observation points. 


m 

is 

q 

More specifically, the objects in a 3-D representation can be viewed from the front, back, 

rti 

m 


left, right, top, and bottom as well as any other position in 3-D space. In contrast, 2-D 


Q 20 representations cannot provide a perspective view and the number of 2-D views is severely 
limited in comparison to 3-D. 


Temporal Displays 

According to one embodiment of the present invention, a temporally-oriented 
visualization has some or all of the following capabilities with respect to analyzing past or 
25 present security breaches: 

• User-selectable time gradations (such as, for example, seconds, minutes, hours, days, 
months) 

• User-selectable time range (such as, for example, from May 1 through June 15) 

• User ability to annotate time grid (such as, for example, with milestones such as "June 13 
30 - Checkpoint firewall vulnerability becomes public") 
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• Ability to relate specific security events to time (such as, for example, showing specific 
times that various probes occurred) 

• Ability to relate the characteristics of security events to time (such as, for example, 
showing the times at which certain types of attacks are most prevalent) 

5 • Ability to relate target characteristics to time (such as, for example, showing time periods 
during which specific operating systems or locations were attacked) 

• Ability to relate attack sources to time (such as, for example, showing period of time 
when certain attacker IP addresses are active) 

• Ability to simultaneously relate types of security incidents, targeted resources and attack 
10 sources to specific time periods (such as, for example, depict the exact time and the order 

that specific workstations were probed, show both the operating system and location of 
I** the targeted workstations, and highlight any known information about the attack source) 

)m • Depict frequencies of specific classes of incidents 

• View sequence of incidents irrespective of absolute time (such as, for example, at 
hQ 15 Hanscom site #125, these events occurred in sequence from May 1-7) 

m 

• Depict duration of events (such as, for example, length of Denial of Service [DOS] 
attacks on February 6-12) 

f 1 • Simultaneously compare patterns of events over multiple user-specified time ranges (such 

ill 

j-jgj as, for example, compare number of probes during April 1-7, May 1-7, June 1-7) 

20 • Show time lapse between exposure or vulnerability and a related security event 

• Show differences between two user-selected times (such as, for example, show 
differences in vulnerabilities on a specific network on April 1 and June 1). 


in 


Mission Impact Displays 

According to a further embodiment of the present invention, an alternative way of 
25 assessing computer security events is to view information about the impact of a potential 
security event on a specific goal or objective, referred to herein as a "mission impact." 

According to one aspect of the invention, a method of visualizing mission impact(s) is 
provided. The method includes: mapping computer system resources to one or more 
business functions of the organization; representing each computer system resource and each 
30 business function with a graphical object; displaying the graphical objects on a display 
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device; and displaying relationship lines between the graphical objects in accordance with the 
dependencies between the computer system resources and the business functions. 

In accordance with another aspect of the invention, each computer system resource 
and each business function is represented with a graphical object selected from one of two 
classes of visually distinct objects, one class for each of the computer system resources and 
business functions. Each class of graphical objects is displayed in a separate layer of a 
simulated 3-D space on a display device. In response to a user selecting one of the displayed 
objects, relationship lines are displayed between the selected graphical object and any other 
displayed object associated therewith in accordance with the mapping relationship between 
the computer system resources and the business functions. 

In order to further refine and present visual representations of mission impacts, 
terminology is herein introduced to distinguish between various types of computer system 
resources, such as, for example, hardware devices, software applications, databases, network 
services and connectivity. Such resources are categorized into three major categories: 

i) A "network device" as used herein refers to a hardware platform used for 
information technology. A device can be a workstation, printer, router, etc. 

ii) A "simple resource" as used herein refers to a single application, database, service 
or file provided by a single device. A simple resource typically resides on one network 
device. However, a single network device can support one simple resource (such as, for 
example, hosting personnel files for the entire organization) or it can support many simple 
resources (such as, for example, hosting word processing applications, accounting 
applications, and budget data for a specific department). 

iii) A "compound resource" is more complex and represents a service to an 
organization (such as, for example, e-mail service or web access). A compound resource 
requires one or more network devices and simple resources and/or other compound 
resources, to provide its service. 

According to a preferred embodiment of the present invention, a mission impact 
visualization has some or all of the following capabilities: 

• Illustrate dependencies between types of computer system resources and mission-critical 
tasks; 
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• Highlight dependence of a specific mission-critical task on computer system resources 
(such as, for example, show all the specific resources that are required for a specific 
mission-critical task); 

• Highlight resource to missions dependencies (such as, for example, show all the mission- 
critical tasks that depend on a single specific resource); 

• Provide user with ability to select the level of granularity he or she wishes to see 
regarding the dependencies between mission-critical tasks and resources (such as, for 
example, collapse and expand across devices, simple resources, compound resources and 
mission-critical tasks); 

• Show strength of dependencies (low, medium, high) between resources and mission- 
critical tasks; 

• Show "and/or" dependencies between resources and mission-critical tasks (such as, for 
example, to generate a military Air Tasking Order informing military pilots of their 
destination(s) and itinerary, one needs the Joint mapping application for showing pilots 
images of their destination(s) in order to facilitate their recognition thereof, and either (1) 
access to the imagery database or (2) a printer and access to a secure fax machine); 

• Show redundancies and substitutability of resources needed to support mission-critical 
tasks; 

• Depict how the strength of a mission-critical task's dependence on specific resources 
varies based on the phase of a mission (such as, for example, the mapping application is 
only needed in the first phase of planning, whereas access to situation reports is needed 
throughout the entire planning process); 

• Depict the sequential order in which specific resources are needed for mission-critical 
tasks (such as, for example, imagery files must be accessed by users before mission 
planning packages are put together). 

The embodiments of the present invention are further discussed below. Although the 
present invention is directed toward visual aids for the presentation and correlation of data in 
the information assurance field, it will be apparent to one skilled in the art that the visual aids 
of the present invention can be applied to any field where the visual presentation and 
correlation of data will enhance the user's situational awareness. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated in the figures of the accompanying drawings which are 
meant to be exemplary and not limiting, in which like references are intended to refer to like 
or corresponding parts, and in which: 
5 FIG. 1 shows the front view of a temporal display according to an embodiment of the 

present invention showing time that specific security events occurred and the targets of their 
attacks; 

FIG. 2 shows the rear view of a temporal display according to an embodiment of the 
present invention showing times that specific attackers are active; 
10 FIG. 3 shows the top down view of a temporal display according to an embodiment of 

the present invention showing how the attackers, targeted hosts and events are related in 
|4 time; 

FIG. 4 shows a temporal display according to an embodiment of the present invention 


HJ showing frequencies of security events displayed by the time of detection and intended 


m 
in 


m 


FIG. 5 shows a mission impact display according to an embodiment of the present 
invention showing dependencies between missions, the mission-critical tasks that support the 


rjj missions, and the cyber resources needed for the mission-critical tasks; and 


FIG. 6 shows a mission impact display according to an embodiment of the present 
20 invention showing what cyber resources and mission-critical tasks will be affected by a 
breach of a specific device. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Collection of Information 

The present invention is based upon a study of how military and commercial 
25 information security analysts currently use information and known tools to achieve 
situational awareness and to assess mission impact of potential security events. 

The embodiments of the present invention have been illustrated using the Virtual 
Reality Modeling Language (VRML), which easily permits the creation of displays in three 
dimensions; however, one can use any other suitable modeling language known in the art. 
30 VRML can be viewed using a viewer such as, for example, the Intervista WorldView, by 
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Intervista, now owned by Computer Associates of Islandia, NY. Visualizations also may be 
rendered in the Intervista WorldView VRML viewer, or using any other tool known to one 
skilled in the art. An application program was developed in C++ on a Pentium platform to 
convert the temporal and mission impact data of a test database into the VRML visualizations 
5 presented herein. 

Temporal Displays 

Figure 1 shows a sample of a temporal event scene, comprised of the following 
elements. The two main elements are a vertical 'Vail" 2 and a horizontal host grid 4. The 
vertical wall 2 displays temporal information in accordance with a time axis 6 and 
10 information about event type in accordance with an event axis 8. The time axis 6 is 
horizontal, while the event type axis 8 is vertical. Preferably, the time is defined by a range 
p and granularity, which are specified by the user. For example, some users are interested in 

;;| trends in time measured in hours, others are interested in trends over months and yet others 

y over one or more specific periods of time. Therefore, the time range can be days, months, 

jjj 15 years, time segments, etc., and the granularity can be expressed in days, hours, seconds, or 
1 ^ any other convenient measurement for the passage of time in regular intervals. For example, 

a user can specify the time range of January 1-10, 2000 and the granularity of 1-hour periods. 
Figure 1 focuses on a particular day in 1-hour intervals. The event type axis 8 shows classes 
(or categories) of vulnerability, types of attacks or types of probes. Figure 1 shows several 

y 

p|j 20 possible categories of events, but it will be apparent to one skilled in the art to modify the 
example shown in Figure 1 to accommodate other categories. 

Referring to Figure 1, the host grid 4 provides information about the characteristics 
and interrelation of the computer systems (or hosts) of an organization that has been the 
target of security attacks or breaches. Each host's organizational role is shown by its 

25 placement relative to an organization axis 10 and each host's location in the organization is 
shown by its placement relative to a location axis 12. In particular, Figure 1 designates each 
location in a fictional version of Hanscom military base, as Hanscom Loc. 07, Hanscom Loc. 
24, etc. Of course, each location also may be labeled as Floor 1, or Red Room, or Cubicle 5 
or any other designation that would be convenient given a particular layout. For example, a 

30 host 14 is shown as being in Logistics and at location Hanscom Loc. 26. The operating 


m 
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system of each host is represented by various attributes, such as geometric shape, color, etc. 
For example, Figure 1 shows cubes that may have different colors. 

Referring to Figure 1, the host grid 4 preferably also shows a relationship between 
various hosts. Lines 15, referred to as trusted relationship lines, show that the host(s) 
connected to each end of each line 15 have access to or share each other's files and 
databases, in effect forming a "trusted relationship" with each other. If one host in a trusted 
relationship is affected, its partners also may be affected. By following the trusted 
relationship lines 15, an information analyst can better assess the effect that an attack on one 
host can have on an organization's overall information infrastructure. 

It will be understood by one skilled in the art that the axes of Figure 1 can be changed 
in orientation in a variety of ways while staying within the scope and spirit of the present 
invention. For example, the relative positions of the time and event axis on the vertical wall 
2 can be swapped, as can the relative positions of the axis of host grid 4. Furthermore, the 
relative positioning of the vertical wall 2 and host grid 4 can be changed such that the vertical 
wall 2 is horizontal, while the host grid 4 is vertical. 

Referring to Figure 1, association lines 16 show, for all security-related events that 
occur at a specific time (on axis 6) and are of a specific event type (on axis 8), the specific 
hosts affected (on host grid 4). Specifically, a cluster of association lines 16 emanate from 
security events located at 16b on the vertical wall 2. As can be seen, security events at 16b 
occurred between 8:00 and 9:00PM and are of event type Network Access. A particular 
association line 16a goes from location 16b on vertical wall 2 to host 17 of host grid 4. From 
host grid 4, a user can see that host 17 is part of the Command and Control system located at 
Hanscom Loc. 07. As will be discussed further with respect to Figure 2, the association lines 
16 shown in phantom and projecting behind the vertical wall 2 are used to trace the source of 
the event or attack. 

While Figure 1 shows events as occurring in discrete points in time, it is also possible 
to use the vertical wall 2 to show duration of events. For example, this could be shown by 
having point 16b on wall 2 have a horizontal extent along time axis 6. 

Figure 2 shows the rear portion of the vertical wall 2 of Figure 1, as well as an attack 
source grid 20. As discussed in reference to Figure 1, association lines 16 are used to trace 
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an event occurring at a certain point, such as each event at 16b, to a representation 22 of its 
source or sources on the attack source grid 20. 

The attack source grid 20 provides information about the characteristics of the attack 
sources, such as IP address, number of hops used to reach the target, and/or any other factor 
5 relevant to one skilled in the art. For example, a user can click on the geometric 
representations 22 of attack sources shown on the attack source grid 20 to obtain information 
about a particular attack source. The attack source grid 20 also can be used to show 
information about which specific sensors detected a given event or events, and the times that 
those sensors detected the event(s). The information can be displayed in any desired way or 
10 format, such as, for example, in a chart or box appearing on the screen after the user clicks on 
a given attack source representation 22. 

h4 Figure 2 shows attack sources as cubes with black and white shadings, however, the 

1*3 

q present invention encompasses any desired geometric shape, any desired color and/or the use 

M of any other visual attributes. For example, a blinking geometric shape may be used to 

y 

i|j 15 represent an active attack source or a given color may be used to represent an attack source 

!f| that previously attacked the same target host. The characteristics and other information 

m pertaining to the attack sources likewise can be color-coded to facilitate visualization of the 

a . . 

fy situation. 

j 3 | Figure 3 shows a top-down view of the embodiments shown in Figures 1 and 2. The 

Q 20 user can simultaneously view and see the association between the attack source grid 20, the 

jtj 

timeline 6, and the host grid 4 via the association lines 16. Since this top down view does not 
show the vertical event axis 8, peak periods of attacker activity and the sequence of events 
against targeted hosts are emphasized. 

Figure 4 shows an alternative embodiment of the visualization shown in Figure 1. 

25 According to this embodiment, frequency distributions are shown on the vertical wall 2. 
Referring to Figure 4, the horizontal axis of the vertical wall 2 is divided into columns of 
time slots. In Figure 4 the time slots denote minutes, but the time slots can denote any other 
desirable time measurement specified by the user, such as, for example, days, minutes, 
seconds, months, years or time ranges (such as, for example, the first ten days of every 

30 month). The vertical axis 2 is divided into rows of event types 8 as has been discussed 
previously with respect to Figure 1 . As a specific event type 8 is recorded in each time slot, a 
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frequency bar 24 is formed. As the same event type 8 recurs in the same time slot, the 
frequency bar 24 increases in height. The user can click on the frequency bar 24 to get more 
information. Upon clicking on the frequency bar 24, association lines 26 connect the 
frequency bar 24 to the target host or hosts that experienced the security events. Also, upon 
5 clicking on a specific target host, all association lines of that target host are shown and 
therefore display the various security events that this particular host has experienced at 
various points in time. For each of these points in time the user then can see the frequency 
with which the specific target host came under attack or threat of attack. This frequency 
information also allows the user to determine the event type or types 8 that is/are most often 
10 directed against the clicked-on target host. 

As discussed in connection with Figure 1, preferably the host grid 4 also shows a 
relationship between various hosts. Trusted relationship lines 15 indicate which hosts are in 
Q a "trusted relationship" with each other, thereby allowing an information analyst to better 

q 

Pi access the effect that an attack on one host can have on an organization's overall information 

W 15 infrastructure. The visualization shown in Figure 4 can aid a user to make a number of data 

i';H correlations, such as, for example, determining which target host is most susceptible to a 
particular event type during a particular time. For example, it may be determined that certain 

is 

Q operating systems are most susceptible to a Services Access event during the early hours of 

i U 

| a || the morning. 

m 

20 Mission Impact Displays 

In order to implement the mission impact display visualizations, it is necessary first to 
collect and store information about the interdependencies between several levels of 
representations of both computer (or host) system resources and organizational mission 
objectives. For example, a five level representation hierarchy may be used, with each level 
25 being defined (from bottom to top level) as follows: i) network devices of computer system 
resources (as defined above); ii) simple resources of computer system resources (as defined 
above); iii) compound resources of computer system resources (as defined above); iv) 
mission-critical tasks and v) missions (or goals). Missions (or goals) are the overall 
objectives that an organization is working towards accomplishing through utilization of its 


rli 
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information technology infrastructure. Mission-critical tasks are sub-missions (or sub-goals) 
that are a necessary part of an organization's accomplishment of particular missions. 

Figure 5 shows an embodiment of 3-D mission impact visualization. Figure 5 shows 
the five layers discussed: network devices 52 (referred to in Figure 5 as "network devices"), 
simple resources 56, 58, 60, compound resources 64, 68, mission critical tasks 70 and 
missions 72. Each layer is preferably represented in a different color for clarity of 
perception. It will be apparent to one skilled in the art that all of the geometric and other 
visual attributes shown in Figure 5 to represent various interdependencies, network devices, 
etc., are used by way of example only and can be substituted by any other visual attributes. 

Referring to Figure 5, the network devices 52 are represented as darkly shaded cubes 
and occupy a single layer. As shown in Figure 5, each device 52 is labeled with its name. 
Optionally, the mission display visualization may have drill down capabilities to allow a user 
to click on a network device 52 and obtain additional information about it, such as, for 
example, its IP address, administrator, or any other network device information desired by 
the user. The additional information can be displayed in any desired way or format, such as, 
for example, in a chart or box appearing on the screen after the user clicks on a given 
network device 52. 

A simple resources layer is logically located one level above the network devices 
layer and comprises simple resources supported by network devices 52. As discussed above, 
a single network device 52 can support one simple resource or a plurality of simple 
resources. Referring to Figure 5, three different geometrical object shapes are used to 
represent three types of simple resources: a light shaded cube 56 represents an application 
program, a cylinder 58 represents a data store and a sphere 60 represents peripheral devices 
that are not directly network-addressable (i.e. peripheral devices that do not have their own 
IP address), 

A compound resources layer is logically located one level above the simple resources 
layer and comprises resources that are more complex and represent a service to an 
organization, such as, for example, an e-mail service or web access. Compound resources 
combine one or more network devices 52 and simple resources 56, 58, 60 and even other 
compound resources 64, 68, to provide their service. Referring to Figure 5, compound 
resources are arranged in one or more rings above the level of the simple resources layer. 
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Referring to Figure 5, compound resources are represented as either a diamond shape 
64 or a cone shape 68. A diamond shape 64 indicates the resource is an AND type which 
requires all of the compound and/or simple resources upon which it is dependent. For 
example, Figure 5 shows that one of the diamond-shaped compound resources 64a, labeled 
5 "Network/' has an AND relationship with two simple resources 56, as shown by association 
lines 74a. This means that for compound resource 64a to function properly, both of the 
simple resources with which it has an AND relationship must be fully operational. In 
addition, of course, for compound resource 64a to function properly it also requires its third 
AND dependency, compound resource 68. 
10 Referring to Figure 5, a cone shape 68 indicates the resource is an OR type which 

requires only one of the compound and/or simple resources upon which it is dependent. For 
q example, the cone-shaped compound resource 68 in Figure 5 has an OR relationship with 

^ two simple resources below it. This means that one of those two simple resources can be 

ill 

y substituted for another; i.e., only one of the two has to be fully operational for the compound 
,Sg| 15 resource 68 to function properly. 

I'D A compound resource can have either an AND or an OR relationship with other 

Q compound resources or with simple resources. For example, one compound resource, such 

;|| as, for example, an e-mail system can have an OR relationship with another compound 

tfl resource, such as, for example, another e-mail system, as well as with two simple resources, 

Q 

!U 20 such as, for example, a printer and a fax machine. To carry this example further, in the event 
that one e-mail system experiences a security breach which renders it unreliable, the user can 
either switch over to using the other e-mail system or the user can choose to print out his/her 
messages and fax them to the recipient. 

When a compound resource depends on simple resources, the simple resources 
25 preferably appear in the layer below that compound resource. The simple resources are 
placed below the compound resource because the simple resources may have relationships 
with many compound resources; the hierarchical layer structure makes it easier to clearly 
depict these multiple relationships. 

A mission critical tasks layer is located above the compound resources layer and 
30 comprises objects each of which represents specific tasks that must be achieved by the 
organization, such as, for example, Air Tasking Order generation, production of mission 
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situation reports, shipping of supplies, or any other tasks to be achieved by an organization as 
part of achieving its missions. Referring to Figure 5, the mission critical tasks 70 are 
represented by lightly shaded spheres. 

A missions layer is the top-most layer and comprises objects that represent the major 
5 goals or missions that an organization is striving to achieve. Each mission requires multiple 
mission-critical tasks to be accomplished for the mission to be achieved, utilizing each of the 
lower layers. Referring to Figure 5, the missions 72 are represented by darkly shaded 
spheres. 

Referring to Figure 5, the association lines 74 that connect objects in each layer 
10 represent dependencies. Specifically, the association lines represent how objects at the 
higher layers depend upon the successful functioning of objects at lower layers. A user of 
q Figure 5 to assess mission impact may utilize the following procedure. First the user 

jjjjj assumes that one or more objects are not functioning successfully (presumably due to a 

UJ security threat) and then via the association lines determines which other objects are affected 

l«ajj 15 by that lack of functionality. For example, a user may click on a selected network device to 


see the association lines 74 between the selected network device and the associated 


□ resource(s), sub-mission(s) and mission(s). The user may see the entire display shown in 

m Figure 5, with the association lines highlighted or, alternatively, see a limited display, 


showing only the resource(s), sub-mission(s) and mission(s) associated with the selected 
|| 20 network device. The user may select any network device, resource, sub-mission or mission 
in order to see the association lines emanating from the selection both up and down the five 
layers shown in Figure 5. 

The association lines 74 can vary in thickness or color, such that stronger 
dependencies can be shown using thicker association lines 74 and/or brighter colors, while 
25 weaker dependencies can be shown using thinner association lines 74 and/or lighter colors. 
Many other variations in dependency representations will be apparent to one skilled in the 
art. 

Figure 5 shows an embodiment where a user selected to see all the dependencies 
within and between the hardware devices, simple resources, compound resources, mission 
30 critical tasks and missions layers. Alternatively, a user can select to view only one or several 
layers at a time. 


15 

BRMFSl 29375 1 v3 


4365/4 



Figure 6 shows an embodiment of the present invention which combines the mission 
impact display with a host grid 76, the host grid 76 being similar to the host grid 4 shown in 
the temporal display embodiments discussed above. The lower portion of the display shows 
a host grid 76, which displays the network devices 52 that are on a given network (hence the 
referral to such hardware devices as also being "network devices"). Note that in Figure 1, 
such network devices 52 of Figure 6 were discussed as being only host computer systems 
(such as hosts 14 and 17). The upper portion of the display shows resources (simple or 
compound), mission-critical tasks and missions that require those devices. In order to see 
which resources, tasks and missions are associated with a given network device 52, a user 
clicks on the network device of interest. Referring to the embodiment shown in Figure 6, the 
user had clicked on a specific device 52 on the network that may have sustained an attack or 
that is believed to be under threat of an attack. As can be seen, the user then sees the 
following layers supported by device 52: simple resource 56; compound resources 64, 68; 
mission-critical tasks 70; and missions 72. The display allows the user to see the 
interconnections between the layers and the potential impact on the organization's missions 
that may result if the selected network device 52 is compromised. The display also allows 
the user to see any available redundancies as seen through, for example, differences in object 
shape and/or color. For example, network devices 52 that offer redundant support for simple 
resources 56 can be shown in a different color and/or shape than other simple resources; 
alternatively, the association lines between redundant and supported elements can be draw in 
a distinguishing color, width, etc. 

With regard to complete physical realization of the present invention, it can be 
implemented on known computer systems using any one of a variety of known software 
engineering techniques. 

It will be understood that the specification and figures are illustrative of the present 
invention and that other embodiments within the spirit and scope of the invention will 
suggest themselves to those skilled in the art. 

All references cited herein are incorporated by reference. 
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